Challenges in Computer Forensics
Rebecca Mercuri, Ph.D.
Presentation for Villanova University, Department of Computing Sciences
April 2006
www.notablesoftware.com

Definition of Computer Forensics
The use of analytical and investigative techniques to identify, collect, examine and preserve evidence and/or information that is magnetically stored or encoded.
(From www.computerforensicsworld.com)

Challenges in Computer Forensics, Copyright © 2006 Rebecca Mercuri, www.notablesoftware.com

Sources of Computer Forensic Data
Generated or stored by a computational device:
• Personal, mid-sized or mainframe computers
• File servers
• Network devices, routers
• PDAs, phones
• Telecom, faxes, voicemail, email
• Photographic and video cameras
• Scanners
• Vehicle “black-boxes”
• etc ...

Computer Forensic Investigations
Address the analysis and reporting of digital evidence after an incident has occurred, with the goal of preparing “legally acceptable” materials for courtroom purposes.
(From www.aic.gov.au)

Some Types of Matters
Civil (Business, Personal) and Criminal:
• Contractual
• Personal injury
• Financial
• Performance
• Marital
• Murder
• Violence
• Endangerment
• Employee
• Ownership
• Patents/Copyrights/Trademarks
• Property
• Governmental / Municipal
• Regulatory
• Standards
• Theft
• Fraud
• Destruction of property
• Conspiracy
• Contraband
• Threats
• Terrorism
• Legislation

Misuse of Computer-Based Services
• Breaches
• Firewall circumvention
• “Hacking”
• Spyware / harvesting data
• Passwords
• Operator privileges
• Viruses / Trojan horses / timebombs
• Algorithm cracking
• Phone service
• Spam
• DDoS attacks

How Evidence can be Obtained
Sources:
• Court order: confiscation, warrants, subpoena
• Voluntary submission: owners, whistleblowers
• Surveillance: monitoring, luring (“honey-pots”), entrapment
• etc ...
Approaches:
• Broad versus targeted
• Data mining
• Profiling
• Negotiation
• etc ...

Chain of Custody
Digital custody issues:
• Possession
• Impounding
• Access
• Duplication
• Audit trail
• Privacy
Federal Rules of Evidence, Admissibility of Duplicates (Rule 1003): “a counterpart serves equally as well as the original, if the counterpart is the product of a method which insures accuracy and genuineness.”
Many State codes are modeled after the Federal rules.

The Perfect Crime
• Occurs invisibly.
• Weapon is part of regular toolset.
• Potential suspects and prosecution witnesses are allowed to tamper with the crime scene before and while evidence is collected.
• Chain of custody of evidence is not preserved.
• Derivative evidence is not from the original source.
• Critical evidence is prevented from disclosure.
• Incorrect suspect is charged.

Authentication
• Time and date stamps: fairly easy to alter or forge
• Hash values: more difficult to change; may not reflect original contents
• Process: tools, witnesses

Forensic Computing Tools
Need to:
• Examine stored visible and hidden files
• Examine deleted/unallocated and slack data spaces
• Recover contents of encrypted or encoded materials
• Maintain integrity and authenticity
Tools:
• EnCase
• Unix/Linux applications software
• Home-brew

Experts
• “Black” versus “white” hats
• Need to demonstrate expertise to court: publications; certification, education, training; experience with case specifics; prior testimony on relevant matters
• Opposition will try to impugn testimony
• Media “spin” can affect outcome

Regional Computer Forensic Labs
• Joint effort: U.S. Federal Bureau of Investigation and State Police
• 13 located around the country
• Impounding and analysis facilities
• Resident investigators
• Training of prosecution forensic examiners

Discovery Efforts
• Application of inductive reasoning to determine “what is or was”
• Use of deductive thinking to intuit “what is not or was not”
• Often there is little symmetry between the inductive and deductive aspects of a case
• Time limitations require focused, directed searches
• Reveal enough to support your case without helping the opposition

Examples
• Computer-related crime
• Notable Software’s casework

Digital Millennium Copyright Act (DMCA)
The DMCA was enacted by the U.S. Congress in 1998 to protect copyrighted content. It prohibits circumventing any technology that controls copying, and publishing or distributing any technology, product, or tool that circumvents copy-control technology.
These prohibitions are having repercussive effects on scientific analysis, research, and publication. Scientists and technologists conducting research in forensics or other computer security areas face risks of legal liability simply for reverse engineering security measures and for reporting the results of their efforts.

Freedom to Tinker
• Ed Felten (Princeton U.) and colleagues: withdrew a paper from a conference that would have contained a recipe for breaking the Secure Digital Music Initiative digital watermark technology, following legal pressure from the entertainment industry. http://www.freedom-to-tinker.com
• Dmitry Sklyarov, Russian programmer: arrested by the FBI during his presentation at the DefCon hacker show for violation of the DMCA in cracking Adobe Systems’ eBook format.

RIAA Lawsuits
• Brianna LaHara, 12-year-old, sued for downloading music; $2,000 settlement fine.

Total/Terrorism Information Awareness (TIA)
Involves the creation of a computing system under the auspices of the Defense Advanced Research Projects Agency (DARPA) that can search public and private databases for information on individuals.
Issues include:
• Privacy violations
• Targeting (US vs. foreign citizens)
• Misuse of information
• False positives

Computer Policy Organizations
EPIC, http://www.epic.org
The Electronic Privacy Information Center is a Washington D.C. based research group. It was established to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values.
EFF, http://www.eff.org
The Electronic Frontier Foundation is a donor-supported membership organization working to protect fundamental rights regardless of technology by opposing misguided legislation, initiating and defending court cases preserving individuals' rights, launching global public campaigns, introducing leading edge proposals and papers, hosting frequent educational events, engaging the press, and publishing a comprehensive archive of digital civil liberties information.

Selected Notable Civil Cases
• Investigation of a law firm’s accounting information by the NJ State Office of Attorney Ethics, to determine whether escrowed funds had been misused.
• Examination of source code used in the construction of an MPEG decoder chip set, to see if patents had been violated.
• Evaluation of the contents of a database to determine the cost of its production, as mitigating evidence in a large financial disagreement between business partners.
• Consideration of possible foul play by a former company employee, in the damage of computer records.

Selected Notable Criminal Cases
For the NJ Office of the Public Defender:
• Murder investigation involving pedophiles, child pornography, and the use of the Internet
• Examination of digital evidence to corroborate or deny prosecution theories in a murder case
• Child pornography possession casework: reconstruction and analysis of imagery; determination of source and acquisition
• Child endangerment casework

Florida 2000

Florida 2002
Florida spent over $125M to update its voting systems, but in their elections using the new equipment:
• Precincts failed to start on time
• Thousands of votes “vanished”
• Ballots were tabulated incorrectly
• Machines “locked up”
• A state of emergency was declared
• Lawsuits were filed and Mercuri was called on (again) to testify

Election Testimony and Briefings
• Federal, state and municipal hearings, U.S. and abroad
• Committees: U.S. House Science Committee; U.S. Commission on Civil Rights; Election Assistance Commission
• Lawsuits
• Meetings with legislators and election officials
• Standards development

Computers and Public Policy
• The ubiquity of computer technology in our daily lives has resulted in an increase in public policy initiatives related to its use.
• Such initiatives often tend to be “reactive” rather than “proactive” in nature.
• Reactive policies are often met with resistance, from vendors as well as users, who want to continue doing things as they were.
• The definition of what is and isn’t “legal” is often grounded in politics and public policy.

Encryption
• The widespread use of strong encryption is fundamental to the protection of critical infrastructures and should not be impaired by the establishment of a mandatory key-escrow system or imposition of "backdoors" in the algorithms.
• There are technical reasons to believe that such restrictions are both unworkable and unenforceable.
• Some researchers believe that attempts to restrict encryption could hurt legitimate U.S. security needs and damage the U.S. economy.

Pretty Good Privacy (PGP)
• Philip Zimmermann created PGP, a freely distributed software download, based on the public-key encryption method.
• The U.S. Government sued Zimmermann for making it available to foreign enemies.
• Use or possession is illegal in some countries (including Russia, China, France, Iraq, and Iran).
http://www.pgp.com

Uniform Computer Information Transactions Act (UCITA)
Proposed uniform state law that would cover online transactions involving computer software, multimedia products, data, etc.
May permit vendors to ban users from:
• Comparing software
• Publicizing information about insecure products
• Reverse engineering
• Prevent remote disabling of software

Lobbying
The art of influencing legislators or other public officials to support or oppose a particular cause. May involve drafting of legislation (bills) and amendments along with committee work to refine wording.
http://www.democracyctr.org/resources/lobbying.html

Categories of Legislators
• Champions
• Allies
• Fence sitters
• Mellow opponents
• Hard core opponents

Inside Lobbying
• Meetings with lawmakers and legislative staff
• Providing analysis and information to committees and legislative offices
• Testifying in committee
• Negotiating with policymakers and other lobby groups

Outside Lobbying
• Changing public opinion and creating awareness
• Media activity, including news conferences, editorial board visits, and assisting reporters with stories
• Visits by constituents to their legislators
• Letter writing campaigns to legislators
• Building broad and diverse coalitions
• Networking with other grassroots groups (such as www.moveon.org, www.democracynow.org)
• Conducting grassroots activities such as rallies, town meetings and meet-ups, etc.
• Lawsuits to establish case precedents

Computer Public Policy Groups
US-ACM, http://www.acm.org/usacm
Public Policy Committee of the Association for Computing Machinery. Assists policymakers and the public in understanding information technology issues and works to advance a policy framework that supports innovations in computing and related disciplines.
IEEE-USA, http://www.ieeeusa.org
Organizational unit of the Institute of Electrical and Electronics Engineers, Inc. Recommends policies and implements programs intended to serve and benefit the members, the profession, and the public in the United States in appropriate professional areas of economic, ethical, legislative, social and technology policy concern.
FIPR, http://www.fipr.org
The Foundation for Information Policy Research is an independent body that studies the interaction between information technology and society. Its goal is to identify technical developments with significant social impact, commission and undertake research into public policy alternatives, and promote public understanding and dialogue between technologists and policy-makers in the UK and Europe.

Concluding Thoughts
• Current evidence impounding modalities favor the prosecution.
• Prosecution examiners/witnesses are being mass-produced.
• Improved tools can give a defense laboratory some “edge.”
• Computer forensics is an art as much (if not more so) than it is a science.
• You can fight City Hall, but probably not by yourself.
• Fascinating and growing field where everything you know can, and will, be applied to your work.

For More Information...
Rebecca Mercuri
mercuri@acm.org
www.notablesoftware.com
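The Chain of Custody, Authentication and Forensic Computing Tools slides above turn on three mechanics: a duplicate must be produced by a method that "insures accuracy and genuineness" (Rule 1003), a hash value is hard to alter but only authenticates what was hashed, and the custody of the evidence needs an audit trail. The following is an added illustration written for this page, not code from the presentation or from any tool it names. The evidence "device" is a constructed byte string standing in for a drive image, and the examiner names and custody-log format are assumptions. It hashes an acquisition, verifies a working copy against the acquisition hash, keeps a hash-chained custody log that exposes later edits to earlier entries, and shows the Authentication caveat: a device altered before imaging still produces a perfectly self-consistent image and hash.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample evidence device (stand-in for a drive being imaged).
ORIGINAL_DEVICE = b"PARTITION\x00invoice.doc: transfer 4000 to escrow\x00" + b"\x00" * 64


def sha256_hex(data: bytes) -> str:
    """Hash value recorded at acquisition and re-checked on every duplicate."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only audit trail. Every entry carries the hash of the previous entry,
    so editing any earlier entry (possession, access, duplication events) breaks
    verification of everything after it."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _entry_hash(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def record(self, action: str, actor: str, item_sha256: str, note: str = "") -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries),
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,          # acquire / duplicate / access / transfer ...
            "actor": actor,            # assumed examiner identifier
            "item_sha256": item_sha256,
            "note": note,
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = self._entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_entry_hash"] != prev:
                return False
            if self._entry_hash(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def acquire_image(device: bytes, examiner: str, log: CustodyLog):
    """Bit-for-bit copy plus acquisition hash, logged as the first custody event."""
    image = bytes(device)
    acquisition_hash = sha256_hex(image)
    log.record("acquire", examiner, acquisition_hash, "bit-for-bit image of evidence device")
    return image, acquisition_hash


def verify_duplicate(copy: bytes, acquisition_hash: str) -> bool:
    """Rule 1003 style check: the counterpart is genuine only if it hashes to the
    value recorded when the original was imaged."""
    return sha256_hex(copy) == acquisition_hash


def demo() -> dict:
    log = CustodyLog()
    image, h0 = acquire_image(ORIGINAL_DEVICE, "examiner A", log)

    # Working copy handed to the analyst; logged and verified against h0.
    working = bytes(image)
    log.record("duplicate", "examiner A", sha256_hex(working), "working copy for analysis")
    dup_ok = verify_duplicate(working, h0)

    # A single changed byte in a copy is caught by the acquisition hash.
    altered_copy = working[:20] + b"X" + working[21:]
    altered_ok = verify_duplicate(altered_copy, h0)

    # Authentication caveat: if the device was changed BEFORE imaging, the image
    # still verifies against its own acquisition hash; only a hash taken earlier
    # (here h0, which a real examiner would not have) reveals the difference.
    tampered_device = ORIGINAL_DEVICE.replace(b"4000", b"9000")
    image2, h2 = acquire_image(tampered_device, "examiner B", CustodyLog())
    tampered_self_consistent = verify_duplicate(image2, h2)
    tampered_matches_original = (h2 == h0)

    # Audit trail: intact before, broken after an entry is edited retroactively.
    log_ok_before = log.verify()
    log.entries[0]["note"] = "edited after the fact"
    log_ok_after = log.verify()

    return {
        "entries": len(log.entries),
        "dup_ok": dup_ok,
        "altered_ok": altered_ok,
        "tampered_self_consistent": tampered_self_consistent,
        "tampered_matches_original": tampered_matches_original,
        "log_ok_before": log_ok_before,
        "log_ok_after": log_ok_after,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The second acquisition is the slide's "may not reflect original contents" point in code: the hash authenticates the image as imaged, so the process around it (write blocking, witnesses, timestamps independent of the suspect's machine) is what ties the image to the device's earlier state. The chained log is what makes a custody record something the opposition cannot quietly rewrite without the change being visible.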